Abstract


In this report, we study tolerance of semantic faults, one of the crucial issues in the Simplex™ architecture. In particular, we examine semantic faults that cause the controlled device to be unsafe (i.e., unable to carry out its normal operation) and eventually cause the device to become damaged. We also consider fault detection as a safety check. For the class of control systems operating around an equilibrium, the objective of maintaining the safety of the controlled device is formulated as a stabilization problem, and the safety of the controlled device is tested against the stability region of the device under the safety control. To establish the stability region, we apply Lyapunov stability theory and linear matrix inequality (LMI) methods. It is shown that both the stability region for a given safety controller and a safety control law itself can be systematically derived by LMI-based approaches. We conclude the report with a summary of the procedure for deriving the safety check and the safety controller for a given application.


™  Simplex  is  a  trademark  of  Carnegie  Mellon  University. 
1 Introduction


With the rapid advancement of computing technology, the real-time control of physical devices has shifted from the analog domain to the digital domain, and control implementation has become a software development issue. The so-called real-time computer-controlled systems are found in all areas of practice, ranging from simple motion-control systems to large-scale, complex systems. Figure 1 shows a typical real-time computer-controlled system.
Figure 1: A Typical Real-Time Computer-Controlled System

In this system, the control unit is a computer, which consists of an analog-to-digital (A/D) converter, computing processes that generate control commands, a real-time clock, and a digital-to-analog (D/A) converter. The control unit controls a group of physical plants. The real-time clock governs the periodic sampling of the physical plants and the control update. At each sample, measurements of the physical plants are fed to the control unit and converted to digital signals through the A/D converter. Based on these measurements, control commands are computed, converted to analog signals through the D/A converter, and sent to the physical plants. This control update cycle is repeated at a prescribed sampling rate. For ease of exposition, we define a controller as the software implementation of a control law, a physical plant (or plant) as the physical device to be controlled, and the overall system as the complete computer-controlled system. It is worth emphasizing that Figure 1 presents only the basic configuration of a computer-controlled system. In a large-scale, complex system, the system shown in Figure 1 could be a subsystem, which is often referred to as an embedded system.
To take full advantage of advanced computing technology, most users want to be able to upgrade and evolve computer-controlled systems (especially large-scale, complex systems). In most cases, the ability to upgrade and evolve the overall system depends on the system's ability to accommodate software changes. Since many of these systems are life critical, reliability and availability are essential requirements. To achieve high reliability and availability while the system is being upgraded or evolved, software changes are best introduced in a safe and reliable fashion while the system is running. The Simplex™ architecture is designed for this purpose. By means of replaceable units and analytically redundant controllers, the Simplex architecture allows an upgraded controller to be introduced into the system online to control the plant under the protection of a so-called safety controller. The upgraded controller continues to control the plant unless it contains faults that would cause the plant to malfunction, in which case the safety controller takes over when the fault is detected. In this report, we study the issue of fault detection as it relates to controller design and implementation, and the control switching logic for fault tolerance. In particular, we focus on establishing the safety region (to be defined precisely in subsequent sections) and propose a systematic approach for deriving the safety region and designing the safety controller.

This report is organized as follows. In Section 2, we briefly review the Simplex architecture and formally define the notion of a safety region. In Section 3, we establish the relation between the safety region and the stability region for a class of control systems, and we define the safety control objective as stabilization of the plant. The stability analysis is carried out based on Lyapunov stability theory. In Section 4, we formulate the stabilization control as a linear matrix inequality (LMI)[1] problem and solve it using existing approaches from the LMI literature. In particular, we first derive the stability region for the closed-loop system under a given linear state feedback control, and then design a state feedback control and derive the corresponding stability region. Furthermore, we discuss the design of the state feedback control with certain prescribed performance requirements. In Section 5, we conclude the report with a summary of what has been done and the lessons learned.



[1] A linear matrix inequality (LMI) is an inequality in a linear combination of matrix variables, understood in the matrix sense (the left-hand side is negative definite). For example, if $A$ is an $n \times n$ constant matrix and $Q$ is an $n \times n$ symmetric matrix variable, then the inequality $QA^T + AQ < 0$ is an LMI.
2 The Simplex Architecture and the Safety Region


The Simplex architecture is a software technology that supports safe, reliable, online software upgrade. A detailed description of the technology is given in the Simplex Architecture Tutorial.[2] Applications of the Simplex architecture in control systems are discussed in [Seto 98] and [Sha 97]. In this report, we concentrate on the core functionality of the Simplex architecture: fault tolerance.

Fault tolerance in the Simplex architecture is based on the concept of analytic redundancy. The analytically redundant controllers are designed with the upgrade of control algorithms in mind. In particular, a highly reliable controller, the safety controller, is designed to work alongside the upgraded controller, the implementation of the upgraded control algorithm. When the upgraded controller is introduced into the system, it takes control of the physical plant, and the dynamic behavior of the plant is monitored. The upgraded controller continues to control the physical plant as long as the behavior of the plant is satisfactory with respect to some prescribed criteria. If the plant does not behave as desired, the upgraded controller may contain bugs. In that case the upgraded controller is disabled, and the safety controller takes over to maintain the operation of the overall system. The upgraded controller is then taken offline to be investigated and repaired. After it is fixed, the upgraded controller is reinserted into the system and takes back control of the physical plant. This cycle is repeated until the reliability of the upgraded controller matches that of the safety controller. In this way, we obtain a highly reliable controller with the upgraded feature.

Fault tolerance in the Simplex architecture consists of two parts: fault detection and fault recovery. As mentioned earlier, fault detection is tied to the switching criteria used when control of the physical plant is switched from the upgraded controller to the safety controller, while fault recovery concerns the safety control, which prevents the plant from failing. Evidently, different faults may require different detection mechanisms. In the Simplex Architecture Tutorial, Peter Feiler (of the Software Engineering Institute) summarizes the types of faults that the Simplex architecture can handle (namely, timing faults, semantic faults, and resource-sharing faults). In this report, we focus on semantic faults, which are faults caused by incorrect design or implementation of the upgraded control algorithm. This type of fault causes the physical plant to malfunction and to enter an unsafe state from which no control can bring the plant back to normal operation. Eventually such a state leads to physical damage. Therefore, detection of a semantic fault can be defined as the point at which the upgraded controller is about to drive the physical plant into an unsafe state. In this sense, semantic fault detection becomes a safety check on the physical plant. Given that the safety controller carries out the recovery once a semantic fault is detected, the safety check depends on the control capability of the safety controller. In other words, for a given safety controller, the upgraded controller may contain a semantic fault if it is driving the physical plant to a state from which the safety controller cannot bring the plant back to normal operation. The safety of a physical plant with respect to the safety controller is defined precisely in [Seto 98], and we review it in the remainder of this section.

[2] The Simplex Architecture Tutorial is available from Peter Feiler of the Software Engineering Institute, Pittsburgh, Pennsylvania.

A formal description of plant safety is based on a mathematical model of the plant. Let $x \in R^n$ be the $n$-dimensional state of the physical plant, and $u \in R^m$ be the $m$-dimensional control input to the plant. The class of physical plants that we are interested in can be described by the following state equations:

$$\dot{x} = f(x, u(x, t)) \qquad (1)$$

with

state constraints: $q_1(x) \le 0, \ldots, q_l(x) \le 0$, (2)

control constraints: $p_1(u) \le 0, \ldots, p_r(u) \le 0$. (3)

Definition 2.1: Given the plant in Equation (1) with the constraints in Equations (2) and (3),

1. A state $x$ is admissible if it satisfies the constraints in Equation (2). The set of admissible states $F$ is defined as $F = \{x : q_1(x) \le 0, \ldots, q_l(x) \le 0\}$.

2. A control input $u$ is admissible if it satisfies the constraints in Equation (3). The set of admissible controls $G$ is defined as $G = \{u : p_1(u) \le 0, \ldots, p_r(u) \le 0\}$.

The control law $u$ can be either open loop or state feedback. The state and control constraints together give the physical constraints of the physical system, which are usually treated as hard constraints. The physical constraints reflect operating limits of physical devices or other considerations, such as a lack of sufficient knowledge to operate the physical system outside these boundaries. The safety of the system is concerned with operating the physical system without violating the physical constraints. Soft constraints may also exist, reflecting regions within which a certain desired control performance can be maintained; violations of these performance-related limits, however, do not necessarily threaten the safety or viability of the physical system. In this report, we focus on the class of systems in Equations (1)-(3) with hard physical constraints.

Example 2.1: Consider a simple mechanical system as shown in Figure 2.

Figure 2: A Simple Mechanical System

Let $x_1 = x$, $x_2 = \dot{x}$, and $u = F/m$. Then the equations of motion are given by

$$\dot{x}_1 = x_2, \qquad \dot{x}_2 = u,$$

subject to

$$|x_1| \le x_m, \qquad |u| \le u_m.$$


The  safety  of  the  physical  plant  can  be  described  with  respect  to  a  region  in  the  state  space 
where  the  safety  controller  can  control  the  plant  without  violating  the  physical  constraints.  To 
characterize  this  region,  we  first  define  the  operational  region  of  a  controller. 

Definition 2.2: Consider the plant in Equations (1)-(3). An operational region (OR) for a given control law $u$, which takes values from $G$, is defined as a subset $O_u \subset F$ such that, under the control of $u$, the trajectory of the plant starting from any state in $O_u$ remains in $O_u$ and satisfies the control objective of $u$.

Since the safety controller is designed with the control objective of keeping the physical system from violating the physical constraints, the operational region of the safety controller can serve as a characterization of plant safety. For instance, we could say that the plant is safe if its state is inside the OR of the safety controller, and unsafe otherwise. However, such a characterization cannot be used as the switching criterion for the safety controller to take over. By the definition of the OR, the control objective of a control law $u$ may not be achieved if the physical plant starts from a state outside the OR of $u$. Thus it would be too late for the safety controller to keep the plant from violating the physical constraints once the state of the physical system is outside its OR. To prevent this, we define a restricted operational region (ROR) as follows:

Definition 2.3: Given a plant in Equations (1)-(3), let $T$ be the sampling period of the overall system and $\phi_v(t_0, x_0, t)$ be the solution of Equation (1) at $t > t_0$ with $v$ the control input taking values from $G$ and $(t_0, x_0)$ the initial condition. A restricted operational region of the control law $u$ is defined as the subset

$$R_u = \{x : x \in O_u,\ \phi_v(t_0, x, t_0 + T) \in O_u,\ \forall t_0 \ge 0,\ \forall v \in G\}.$$

Clearly, the restricted operational region contains all the states from which the state of the plant at the next sample will still be inside the corresponding operational region, no matter what control is applied to the plant. Based on the definition of a restricted operational region, we define the notion of a safety region to characterize the safety of the plant.

Definition 2.4: Consider a plant given in Equations (1)-(3).

1. The safety region of a safety control law $u$ that takes values from $G$ is defined as the restricted operational region of that law (i.e., $R_u$). In addition, if all trajectories of the plant starting in $R_u$ can be driven by $u$ to a subset $S \subset R_u$, the safety region is said to be recoverable to $S$.

2. A given state of the physical system is safe with respect to the safety control law $u$ if it is inside $R_u$. Otherwise it is unsafe.

The safety region defined above may still not be conservative enough when there is a one-period delay in the control implementation, in which case the control command computed from the state at time $t$ is sent to the physical plant at time $t + T$. To see this, suppose that the state of the physical plant is detected to be outside the safety region at time $t$. Although the safety controller is then selected to control the plant, its control command does not affect the physical plant until time $t + T$. By time $t + T$, however, the physical plant may already have evolved to a state outside the OR of the safety controller. Therefore, when the system involves a one-period delay in the control implementation, the safety region of the safety controller is further restricted to

$$\{x : x \in R_u,\ \phi_v(t_0, x, t_0 + 2T) \in O_u,\ \forall t_0 \ge 0,\ \forall v \in G\}.$$
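The safety check and switching logic described in this section, worked through on the plant of Example 2.1 as an added example (this is not code from the report; the sampling period, the constraint bounds, the safety gains and the ellipse matrix P that plays the role of the operational region are constructed for the example, and that region is assumed here rather than derived). The zero-order-hold sampling in the code is the one implied by the D/A stage of Figure 1. For this plant the check is exact rather than a heuristic: the one-step map is affine in the held control and the region is convex, so only the extreme admissible controls have to be tested.

```python
"""Safety check and switching logic for the plant of Example 2.1.

Plant: x1' = x2, x2' = u, with hard constraints |x1| <= X_M and |u| <= U_M.
The control is held constant over each sampling period T (zero-order hold,
as in the D/A stage of Figure 1), so one sampling step has a closed form.
"""
import itertools

T = 0.1    # sampling period (assumed for this example)
X_M = 1.0  # state constraint |x1| <= X_M, Equation (2)
U_M = 3.0  # control constraint |u| <= U_M, Equation (3)

# Operational region O_u of the safety controller (Definition 2.2), taken
# here as the ellipse {x : x^T P x <= 1} intersected with the admissible set.
# P and the safety gains K are constructed for this example (an assumption;
# deriving such a region from a Lyapunov function is the subject of
# Sections 3 and 4). For this T the ellipse is invariant under u = Kx and
# |Kx| <= U_M inside it, so the safety controller never saturates there.
P = ((1.5, 0.5), (0.5, 0.5))
K = (-1.0, -2.0)


def step(x, v, period=T):
    """Exact state after one sampling period under a held control v."""
    x1, x2 = x
    return (x1 + x2 * period + 0.5 * v * period * period, x2 + v * period)


def saturate(v):
    """Project a command onto the admissible control set G = [-U_M, U_M]."""
    return max(-U_M, min(U_M, v))


def in_or(x):
    """Membership in O_u: inside the ellipse and inside F = {|x1| <= X_M}."""
    x1, x2 = x
    quad = P[0][0] * x1 * x1 + 2 * P[0][1] * x1 * x2 + P[1][1] * x2 * x2
    return quad <= 1.0 and abs(x1) <= X_M


def in_ror(x, delay_periods=0):
    """Restricted operational region (Definition 2.3; with delay_periods=1,
    the one-period-delay variant at the end of Section 2): x is in O_u and
    the state reached after 1, ..., 1 + delay_periods periods is still in
    O_u for EVERY admissible control sequence. The step map is affine in the
    held control and O_u is convex, so the reachable set is the convex hull
    of the images of the extreme controls +/-U_M; testing those corners is
    therefore exact."""
    if not in_or(x):
        return False
    for horizon in range(1, 2 + delay_periods):
        for seq in itertools.product((-U_M, U_M), repeat=horizon):
            y = x
            for v in seq:
                y = step(y, v)
            if not in_or(y):
                return False
    return True


def safety_control(x):
    return saturate(K[0] * x[0] + K[1] * x[1])


def faulty_upgrade(x):
    """An upgraded controller with a semantic fault (sign error): it pushes
    the mass away from the equilibrium at full force."""
    return U_M if x[0] >= 0 else -U_M


def simulate(x0, upgrade, steps=200, monitor=True):
    """Simplex switching: the upgraded controller drives the plant while the
    sampled state is inside the safety region R_u; the first sample outside
    R_u hands control to the safety controller for good. With monitor=False
    the upgraded controller is never disabled. Returns the sampled
    trajectory and the sample index at which the switch happened."""
    x, traj, switched_at = x0, [x0], None
    for k in range(steps):
        if monitor and switched_at is None and not in_ror(x):
            switched_at = k
        u = upgrade(x) if switched_at is None else safety_control(x)
        x = step(x, u)
        traj.append(x)
    return {"trajectory": traj, "switched_at": switched_at}


if __name__ == "__main__":
    run = simulate((0.2, 0.0), faulty_upgrade)
    print("switched to safety controller at sample", run["switched_at"])
    print("all sampled states inside O_u:", all(map(in_or, run["trajectory"])))
    print("final state:", run["trajectory"][-1])
```

Starting from rest at x_1 = 0.2, the faulty upgrade is caught at the third sample, while the sampled state is still inside the operational region (it has V = 0.875 there, and the next full-force step would leave the ellipse); the safety controller then brings the mass back to rest without ever violating |x_1| ≤ x_m. Without the monitor the same upgrade drives x_1 past x_m in under a second. Passing delay_periods=1 to in_ror yields the more conservative region for the one-period implementation delay.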
3 Lyapunov Stability Theory in Safety Control


When the physical plant has an equilibrium or a steady state, the safety of the plant can be characterized by the stability of the plant. In this case, the safety controller can be designed to maintain the stability of the physical plant, and the safety region can be defined as the stability region of the plant under the safety control. In this section, we first briefly review Lyapunov stability theory and then formulate the safety-related issues as a stabilization problem. Most of the results in this section are well established in the systems and control literature, and we simply state them without proof. For details, readers can refer to a number of control texts (e.g., [Luenberger 79]).

3.1  Lyapunov  Stability  Theory 

Before getting into the details of Lyapunov stability theory, we first give some definitions related to the stability of a dynamic system.[3] Here we consider the class of continuous-time autonomous dynamic systems described by the following equation:

$$\dot{x} = f(x(t)), \quad x \in R^n \qquad (4)$$

Definition 3.1: An equilibrium of the system in Equation (4) is a state $x_e$ satisfying $f(x_e) = 0$.

Definition 3.2: Suppose $x_e$ is an equilibrium state of the system in Equation (4). Then,

1. $x_e$ is stable if for any $\epsilon > 0$ there exists a $\delta$, $0 < \delta \le \epsilon$, such that for all $x(t_0)$ satisfying $|x(t_0) - x_e| < \delta$ we have $|x(t) - x_e| < \epsilon$, $\forall t \ge t_0$.

2. $x_e$ is asymptotically stable if it is stable and $\lim_{t \to \infty} x(t) = x_e$.

3. $x_e$ is unstable if it is not stable.

Definition 3.3: A dynamic system with an equilibrium state $x_e$ is said to be (asymptotically) stable if $x_e$ is an (asymptotically) stable equilibrium. A stability region $S$ of the system is defined as a region in the system state space from which the system trajectories stay inside a bounded region $B \supseteq S$. Furthermore, if $B = S$, then $S$ is called a restricted stability region.

[3] In this and subsequent sections, we often use the word "system" to refer to a plant whose dynamics can be described by a set of differential equations. This should not be confused with the system that we defined previously as the overall computer-controlled system.

Definition 3.4: A function $V(x)$ defined in a neighborhood $U$ of an equilibrium $x_e$ of the system in Equation (4) is a Lyapunov function if it satisfies the following conditions:

1. $V$ is continuous and has continuous first-order partial derivatives;

2. $x_e$ is the unique minimum of $V(x)$ with respect to all other states in $U$;

3. the time derivative along trajectories satisfies $\dot{V}(x) \le 0$, $\forall x \in U$.

The above definitions have clear physical interpretations. The definition of an equilibrium state implies that, once the system is at an equilibrium, it stays there forever. For a dynamic system with a stable equilibrium, if the system starts close to the equilibrium, it remains close to the equilibrium for all future time. Furthermore, if the equilibrium is asymptotically stable, the trajectory of the system tends to the equilibrium as time increases. The stability region characterizes the states starting from which the system remains close to the equilibrium, or converges to it. In safety control, we are interested in the stability region of an asymptotically stable equilibrium. Finally, the definition of the Lyapunov function is an analogy to an energy dissipation process with minimum energy at the equilibrium point. Figure 3 illustrates some of the definitions.


Figure 3: Illustrations of Stability-Related Definitions (3.a: stable, asymptotically stable, and unstable equilibria; 3.b: a Lyapunov function)

Theorem 3.1 (Lyapunov Stability Theorem): For a dynamic system in Equation (4) with an equilibrium $x_e$, if there exists a Lyapunov function $V(x)$ in a neighborhood $U$ of $x_e$, then the equilibrium $x_e$ is stable. Furthermore, if the time derivative $\dot{V}(x)$ is strictly negative everywhere in $U$ except at $x_e$, the equilibrium is asymptotically stable.


The Lyapunov stability theorem addresses two issues. First, for any given dynamic system with an equilibrium, if a Lyapunov function can be constructed with respect to the equilibrium, then a conclusion about the system's stability (i.e., that the system is stable or asymptotically stable about the equilibrium) can be drawn. However, the existence of a Lyapunov function is only a sufficient condition for stability: it cannot be concluded that the system is unstable merely because no Lyapunov function has yet been found. Second, a stability region can be obtained from a Lyapunov function. Suppose there exists a Lyapunov function $V(x)$ in a neighborhood $U$ of an equilibrium of a given system. Then the Lyapunov stability theorem implies that there exists a positive constant $c$ such that the region defined by

$$S = \{x : V(x) < c,\ x \in U\}$$

is a stability region. It is worth noting that the stability region defined in this way is not unique, and the set $S$ with the largest such $c$ gives the largest stability region obtainable from this particular Lyapunov function. Since the time derivative of the Lyapunov function is always non-positive, a trajectory starting in such a level set never leaves it, so a stability region defined by a Lyapunov function is restricted in the sense of Definition 3.3. Thus, in the rest of this report, we simply use "stability region" in the restricted sense whenever we derive the stability region from a Lyapunov function.

As a subclass of the systems in Equation (4), linear time-invariant (LTI) systems are of special interest. Numerous results for this class of systems are well established. In the next few paragraphs, we show how the Lyapunov stability theorem is applied to this type of system. The class is given by the following equation:

$$\dot{x} = Ax, \quad x \in R^n \qquad (5)$$

Theorem 3.2: The LTI system in Equation (5) is asymptotically stable at the equilibrium $x = 0$ if and only if all the eigenvalues of the matrix $A$ lie in the open left half of the complex plane (i.e., have strictly negative real parts).

Definition 3.5: The system in Equation (5) is quadratically stable at the equilibrium $x = 0$ if there exists a positive definite matrix $P$ such that the quadratic function $V(x) = x^T P x$ has a negative derivative along all trajectories of Equation (5).

Theorem 3.3: The system in Equation (5) is asymptotically stable at the equilibrium $x = 0$ if and only if it is quadratically stable.

The equivalence of asymptotic stability and quadratic stability enables the systematic study of Lyapunov stability in LTI systems. Specifically, the construction of a Lyapunov function is narrowed to quadratic forms, and such quadratic Lyapunov functions always exist as long as the LTI system is asymptotically stable. In other words, the existence of a quadratic Lyapunov function is a necessary and sufficient condition for the system to be asymptotically stable. To apply the Lyapunov stability theorem to an LTI system, we consider a quadratic function of the state variables given by $V(x) = x^T P x$, where $P$ is a positive definite matrix, denoted by $P > 0$.[4] We show the conditions under which $V(x)$ qualifies as a Lyapunov function, so that the system is asymptotically stable. Evidently, any function $V(x)$ so defined satisfies Conditions 1 and 2 in the definition of a Lyapunov function. To check the third condition, we differentiate $V(x)$ along the system trajectory and obtain

$$\dot{V} = x^T (A^T P + PA)\, x.$$

Then $\dot{V} < 0$ for all $x \ne 0$ is equivalent to the matrix inequality $A^T P + PA < 0$. Hence we conclude that the system in Equation (5) is asymptotically stable if and only if there exists a matrix $P$ (or $Q = P^{-1}$) such that

$$P > 0,\ A^T P + PA < 0 \qquad \text{or} \qquad Q > 0,\ QA^T + AQ < 0. \qquad (6)$$

This is also known as a feasibility problem in the context of LMIs. Namely, the LMIs in Equation (6) are feasible if there exists a matrix $P$ (or $Q = P^{-1}$) satisfying Equation (6). Moreover, the system in Equation (5) is asymptotically stable if and only if the LMIs in Equation (6) are feasible. This translates a stability problem into an LMI problem, which can be solved by interior-point methods. We discuss the solution of this type of LMI problem in Section 4.

[4] The function $V(x)$ is also called a positive definite function in the sense that $V(x) > 0$, $\forall x \ne 0$.

3.2  A  Stabilization  Problem 

In the previous subsection, Lyapunov stability theory was presented for a class of autonomous systems. In this subsection, we apply the theory to the control systems described in Equations (1)-(3). Specifically, we concentrate on the safety control, since it is responsible for maintaining the safety of the physical plant, a crucial functionality in the Simplex architecture. As mentioned earlier, the safety of the physical plant can be characterized by the stability of the plant when there is an equilibrium in the set of admissible states. Namely, guaranteeing the safety of a plant is equivalent to maintaining stability of the plant when the plant is operating around an equilibrium; thus, a safety region can be defined as a stability region. In this sense, the safety controller can be designed to stabilize the plant around the equilibrium, and a corresponding stability region is derived as the safety region. A formal problem statement is given below. Again, consider the class of plants

$$\dot{x} = f(x, u) \quad \text{with} \quad q_i(x) \le 0,\ i = 1, \ldots, l, \quad \text{and} \quad p_j(u) \le 0,\ j = 1, \ldots, r. \qquad (7)$$

Suppose there is a unique equilibrium $(x_e, u_e)$ defined by

$$f(x_e, u_e) = 0, \quad q_i(x_e) < 0,\ \forall i = 1, \ldots, l, \quad \text{and} \quad p_j(u_e) < 0,\ \forall j = 1, \ldots, r.$$

Then the control objective is to design a state feedback control law $u(x(t))$ with $u(x(t)) \in G$, $\forall t \ge t_0$, such that the closed-loop system $\dot{x} = f(x, u(x))$ is asymptotically stable at $x_e$. Furthermore, find the largest stability region of the closed-loop system contained in the set of admissible states.


The problem posed is a stabilization problem, and its solution can be obtained from Lyapunov stability theory. With the control law designed in state feedback form, the closed-loop system is an autonomous system,[5] and the Lyapunov stability theory introduced in the previous subsection can be applied directly. It is not trivial, however, to solve a nonlinear stability problem. Except for a small subclass of systems (for instance, systems that can be linearized by state feedback), most such problems have no known analytic solution, and even where analytic solutions exist for some problems, they may not generalize to others. To develop a systematic approach to control design and stability region derivation, we adopt the standard scheme for dealing with nonlinear systems (namely, linearizing the nonlinear system at the equilibrium state), and then solve the problem for the linearized system. Specifically, let $\delta x = x - x_e$ and $\delta u = u - u_e$. Then expanding the function $f(x, u)$ in a Taylor series about $(x_e, u_e)$ and keeping only the first-order terms (the zeroth-order term vanishes because $f(x_e, u_e) = 0$), we get

$$\delta\dot{x} = A\,\delta x + B\,\delta u,$$

where

$$A = \left.\frac{\partial f(x, u)}{\partial x}\right|_{x = x_e,\ u = u_e} \quad \text{and} \quad B = \left.\frac{\partial f(x, u)}{\partial u}\right|_{x = x_e,\ u = u_e}$$

are constant matrices. This transforms the nonlinear stabilization problem into a linear one. In the next section, we present several LMI-based approaches to solving the linear stability problem.
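The linearization step above, carried out numerically as an added example (this is not code from the report): the plant is a damped pendulum with a torque input, chosen here for illustration, and the Jacobians A and B are obtained by central finite differences at an equilibrium (x_e, u_e) instead of by hand. The code also refuses to expand anywhere but at an equilibrium, and measures how the discrepancy between the nonlinear plant and its linear model grows with the size of δx, which is the price of dropping the higher-order terms. The constants g/l and d are assumptions of the example.

```python
"""Linearizing xdot = f(x, u) about an equilibrium (x_e, u_e), as in
Section 3.2, with the Jacobians A = df/dx and B = df/du obtained by central
finite differences instead of by hand.

The plant is a damped pendulum with a torque input (chosen here as an
illustration; not a plant from the report): x1 = angle, x2 = angular rate,
    x1dot = x2,   x2dot = -(g/l) sin(x1) - d x2 + u.
"""
import math

G_OVER_L = 9.81  # gravity / pendulum length (assumed)
DAMPING = 0.5    # viscous damping d (assumed)


def pendulum(x, u):
    return [x[1], -G_OVER_L * math.sin(x[0]) - DAMPING * x[1] + u[0]]


def example_equilibrium(angle=math.pi / 6):
    """A non-trivial equilibrium: holding the pendulum at a fixed angle needs
    the constant torque u_e = (g/l) sin(angle), so delta u = u - u_e matters."""
    return [angle, 0.0], [G_OVER_L * math.sin(angle)]


def is_equilibrium(plant, x_e, u_e, tol=1e-9):
    return all(abs(v) < tol for v in plant(x_e, u_e))


def jacobians(plant, x_e, u_e, h=1e-6):
    """Return (A, B), the Jacobians of plant at (x_e, u_e), by central differences."""
    def column(fn, base, idx):
        plus, minus = list(base), list(base)
        plus[idx] += h
        minus[idx] -= h
        return [(p - q) / (2 * h) for p, q in zip(fn(plus), fn(minus))]

    cols_x = [column(lambda v: plant(v, u_e), x_e, i) for i in range(len(x_e))]
    cols_u = [column(lambda v: plant(x_e, v), u_e, j) for j in range(len(u_e))]
    A = [[col[i] for col in cols_x] for i in range(len(x_e))]
    B = [[col[i] for col in cols_u] for i in range(len(x_e))]
    return A, B


def linearize(plant, x_e, u_e):
    """A first-order Taylor expansion is only meaningful at an equilibrium,
    where the zeroth-order term f(x_e, u_e) vanishes; refuse to expand elsewhere."""
    if not is_equilibrium(plant, x_e, u_e):
        raise ValueError("(x_e, u_e) is not an equilibrium of the plant")
    return jacobians(plant, x_e, u_e)


def model_gap(plant, x_e, u_e, dx0, du, t_end=1.0, dt=1e-3):
    """Integrate the nonlinear plant and its linearization (explicit Euler,
    same step for both) from x_e + dx0 under the constant input u_e + du and
    return the largest final-state discrepancy. The gap shrinks like
    |dx0|^2, which is what 'keeping only the first-order terms' costs."""
    A, B = linearize(plant, x_e, u_e)
    n, m = len(x_e), len(u_e)
    x = [xe + d for xe, d in zip(x_e, dx0)]
    u = [ue + d for ue, d in zip(u_e, du)]
    dx = list(dx0)
    for _ in range(int(round(t_end / dt))):
        x = [xi + dt * fi for xi, fi in zip(x, plant(x, u))]
        ddx = [sum(A[i][j] * dx[j] for j in range(n)) +
               sum(B[i][j] * du[j] for j in range(m)) for i in range(n)]
        dx = [di + dt * d for di, d in zip(dx, ddx)]
    return max(abs(xi - (xe + di)) for xi, xe, di in zip(x, x_e, dx))


if __name__ == "__main__":
    x_e, u_e = example_equilibrium()
    A, B = linearize(pendulum, x_e, u_e)
    print("A =", A)
    print("B =", B)
    print("gap for |dx0| = 0.01:", model_gap(pendulum, x_e, u_e, [0.01, 0.0], [0.0]))
    print("gap for |dx0| = 0.5: ", model_gap(pendulum, x_e, u_e, [0.5, 0.0], [0.0]))
```

At the equilibrium angle π/6 the numerical A agrees with the analytic Jacobian [[0, 1], [-(g/l) cos(π/6), -d]] and B with [[0], [1]] to better than 1e-5, and the model gap for a 0.5 rad perturbation is orders of magnitude larger than for 0.01 rad, as expected from the neglected second-order term.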


[5] It is not necessary for the control law to be state feedback; it could be open loop (for instance, a bang-bang control). If the control depends explicitly on time, the controlled system is no longer autonomous. Nevertheless, in this report we focus on the class of systems in Equation (7) with a state feedback control law $u(x)$.
4 Stability Analysis with LMI-Based Approaches


In the previous section, we defined the safety control as the control that stabilizes the plant at the equilibrium and characterized the safety region as a stability region of the plant under the safety control. In this section, we present LMI-based approaches to solving the linear stabilization problem. In particular, we first formulate the problem in LMI form and then solve it for two different cases: (1) derive the stability region for a given safety controller, and (2) design the safety controller and derive the corresponding stability region. Finally, we discuss further improvements of the presented LMI approaches. The fundamental concepts and basic schemes used in this section are described in detail by Boyd et al. in [Boyd 94].

As we discussed earlier, the stabilization problem will be solved for a class of linear time-invariant (LTI) systems, which could be linearized approximations of the physical plants. Suppose this class of LTI systems is described as follows:

$$\dot{x} = Ax + Bu \quad\text{with constraints:}\quad a_i^T x \le 1,\; i = 1,\dots,l \quad\text{and}\quad b_j^T u \le 1,\; j = 1,\dots,r \tag{8}$$

where $x \in \mathbb{R}^n$ is a vector of state variables, $u \in \mathbb{R}^m$ is a vector of control inputs, and $a_i \in \mathbb{R}^n$ and $b_j \in \mathbb{R}^m$ are constant vectors. Clearly, the equilibrium state $x = 0$ is a point in the set of admissible states. The control objective is to design a linear state feedback control of the form $u = Kx$ such that the closed-loop system is asymptotically stable at the equilibrium. Moreover, the controlled system must evolve in a feasible region of the state space where no constraint is violated. This implies that the stability region of the closed-loop system will be restricted by the constraints. With the control law $u = Kx$, the closed-loop system is written as follows:

$$\dot{x} = \bar{A}x \quad\text{with constraints}\quad \alpha_k^T x \le 1,\; k = 1,\dots,p \tag{9}$$

where $\bar{A} = A + BK$; $\alpha_k^T = a_k^T$ for $k = 1,\dots,l$; $\alpha_k^T = b_j^T K$ for $j = 1,\dots,r$ with $k = l + j$; and $p = l + r$. According to the Lyapunov stability theory, the system in Equation (9) is asymptotically stable if and only if there exists a matrix $P$ (or $Q = P^{-1}$) such that

$$P > 0,\quad \bar{A}^T P + P\bar{A} < 0 \qquad\text{or}\qquad Q > 0,\quad Q\bar{A}^T + \bar{A}Q < 0 \tag{10}$$
Then a stability region $S$ of Equation (9) can be defined as follows:

$$S = \{x : x^T P x \le 1\} \tag{11}$$

In addition, all trajectories of the closed-loop system in Equation (9) that start from states in $S$ will satisfy the constraints if the stability region itself satisfies the constraints (i.e., $\alpha_k^T x \le 1\ \forall x \in S$, $k = 1,\dots,p$), since $S$ is a sublevel set of the Lyapunov function $x^T P x$ and a trajectory that starts inside it never leaves it. The following lemma casts the constraints in an LMI form.

Lemma 4.1: Given an LTI system with the constraints in Equation (9), the stability region $S$ defined in Equation (11) satisfies the constraints in Equation (9) if and only if

$$\alpha_k^T P^{-1} \alpha_k \le 1,\quad k = 1,\dots,p.$$

Proof: By definition, $S$ satisfies the constraints if and only if $\alpha_k^T x \le 1\ \forall x \in S$, $k = 1,\dots,p$. This is equivalent to $\max_{x \in S} \alpha_k^T x \le 1$, $k = 1,\dots,p$. Next we show that $\max_{x \in S} \alpha_k^T x = \sqrt{\alpha_k^T P^{-1} \alpha_k}$, $k = 1,\dots,p$, which implies the lemma. To this end, we solve the following nonlinear programming problem for each $k = 1,\dots,p$:

$$\text{maximize } \alpha_k^T x \quad\text{subject to } x^T P x \le 1$$

Let $x^*$ be the optimal solution. Then $x^*$ satisfies the Kuhn-Tucker conditions:

$$\alpha_k - 2\lambda P x^* = 0,\qquad \lambda\,(1 - x^{*T} P x^*) = 0,\qquad \lambda \ge 0$$

Clearly there is a solution $x^*$ only if $\lambda > 0$ (with $\lambda = 0$ the first condition would force $\alpha_k = 0$), so the constraint is active and $x^{*T} P x^* = 1$. Solving the above equations, we obtain the following:

$$x^* = \frac{P^{-1}\alpha_k}{\sqrt{\alpha_k^T P^{-1}\alpha_k}} \;\Rightarrow\; \max_{x \in S} \alpha_k^T x = \alpha_k^T x^* = \sqrt{\alpha_k^T P^{-1}\alpha_k}$$

Then we conclude that $\max_{x \in S} \alpha_k^T x \le 1$ if and only if $\alpha_k^T P^{-1} \alpha_k \le 1$ for all $k = 1,\dots,p$.

We now complete the transformation of the linear stabilization problem into a feasibility problem with the following summary: The plant is stabilizable (i.e., it can be stabilized at the equilibrium without violating the constraints) if there exists a matrix $P$ (or $Q = P^{-1}$) such that the following LMIs are satisfied:

$$\begin{aligned}
&P > 0; \\
&\bar{A}^T P + P\bar{A} < 0; \\
&\alpha_k^T P^{-1} \alpha_k \le 1,\; k = 1,\dots,p.
\end{aligned}
\qquad\text{or}\qquad
\begin{aligned}
&Q > 0; \\
&Q\bar{A}^T + \bar{A}Q < 0; \\
&\alpha_k^T Q\,\alpha_k \le 1,\; k = 1,\dots,p.
\end{aligned} \tag{12}$$

The $Q$ form is the one used in the rest of this section, because $\alpha_k^T Q \alpha_k \le 1$ is linear in the unknown $Q$, whereas $\alpha_k^T P^{-1}\alpha_k \le 1$ must first be rewritten through a Schur complement to become an LMI in $P$.
In the above feasibility problem, the solutions for $K$ and $P$ (or $Q$) are not unique. In fact, there are infinitely many $K$ such that the control $u = Kx$ stabilizes the plant, namely all $K$ for which every eigenvalue of $\bar{A}$ lies in the open left half of the complex plane. In addition, for each $K$, there may be infinitely many stability regions of the form in Equation (11) that satisfy the constraints. Given that a stability region is derived as a safety region, and the larger the safety region is, the more freedom an upgraded controller has to explore new functionality, we are interested in the largest safety region. This leads to two different cases that will be investigated next: (1) find the largest stability region for a given safety controller, and (2) design the safety controller such that the resulting stability region is maximized.

4.1  Stability Region with a Given Controller

In this case, we derive the safety region of the plant controlled by a given controller (i.e., $u = Kx$ with $K$ given). This is the case when the safety control design and the safety region derivation are carried out separately. The safety control could be designed by methods other than LMI, for instance the linear quadratic regulator (LQR) technique or the pole placement method, when some performance specifications need to be satisfied. It could also be a control algorithm that has been used in the past and has proven reliable. Given that the stability region defined in Equation (11) is not unique, we are interested in deriving the largest $S$ subject to the constraints. Since each stability region geometrically defines an ellipsoid in the state space of the plant, the size of a stability region is measured by the volume of the ellipsoid. Hence the stability region in this case is derived by solving an optimization problem: maximize the volume of the ellipsoid subject to the constraints.

Since the control gain $K$ is given, the matrix $\bar{A}$ is completely determined, and the optimization problem is solved over all feasible matrices $Q$ subject to the LMI constraints in Equation (12). Since the volume of the ellipsoid $S = \{x : x^T P x \le 1\}$ is proportional to $\sqrt{\det P^{-1}} = \sqrt{\det Q}$, maximizing the volume is equivalent to minimizing $\det Q^{-1}$, or equivalently $\log\det Q^{-1}$, which is a convex function of $Q$ on $Q > 0$. Hence a complete LMI problem for the optimization can be formulated as follows: For a dynamic plant $\dot{x} = \bar{A}x$ with constraints $\alpha_k^T x \le 1$, $k = 1,\dots,p$, find the matrix $Q$ that

$$\begin{aligned}
\text{minimizes}\quad & \log\det Q^{-1} \\
\text{subject to}\quad & Q > 0; \\
& Q\bar{A}^T + \bar{A}Q < 0; \\
& \alpha_k^T Q\,\alpha_k \le 1,\; k = 1,\dots,p.
\end{aligned}$$
This problem is solved by Vandenberghe et al. in [Vandenberghe 98], and a software implementation of the algorithm was developed by Wu and Boyd [Wu 97]. The following example illustrates the derivation of the stability region using the SDPSOL software, a parser/solver for semidefinite programming and determinant maximization problems with matrix structure. (The software can be downloaded via anonymous ftp from <http://www.stanford.edu/~boyd/sdpsol/> and <http://www.stanford.edu/~boyd/maxdet/>.)

Example 4.1: Consider the simple mechanical plant given in Example 2.1. Suppose the physical parameters are given the following values: $m = 1$ kg, a limit of 2 meters on the state $x_1$, and a limit of 1 Newton on the control $u$.

In addition, the safety controller is designed with the control gain $K = [-2,\ -3]$. Then the dynamics of the closed-loop plant are described by $\dot{x} = \bar{A}x$, $\bar{A} = A + BK$, with constraints:

$$|x_1| \le 2, \qquad |u| \le 1 \;\text{ or }\; |{-2x_1 - 3x_2}| \le 1$$

and the stability region is specified by $S = \{x : x^T Q^{-1} x \le 1\}$ with $Q$ a $2 \times 2$ symmetric matrix to be determined. Then the LMI problem is formulated as

$$\begin{aligned}
\text{minimize}\quad & \log\det Q^{-1} \\
\text{subject to}\quad & Q > 0; \\
& Q\bar{A}^T + \bar{A}Q < 0; \\
& \alpha_k^T Q\,\alpha_k \le 1,\; k = 1,\dots,4,
\end{aligned}$$

where $\alpha_1^T = [1/2,\ 0]$, $\alpha_2^T = [-1/2,\ 0]$, $\alpha_3^T = [-2,\ -3]$, and $\alpha_4^T = [2,\ 3]$. Solving this problem, we obtain the $Q$ matrix as

$$Q = \begin{bmatrix} 4.0 & -2.6686 \\ -2.6686 & 1.8915 \end{bmatrix}$$

and the stability region displayed in Figure 4. (Note: The dashed lines in Figure 4 indicate the constraints.) Two of the four constraints are active at the optimum, $\alpha_1^T Q \alpha_1 = 1$ and $\alpha_3^T Q \alpha_3 \approx 1$, so the ellipsoid touches both the state limit and the control limit; this is the usual outcome of maximizing the volume, and it is worth confirming for any solver output before the region is used as a safety check.

Figure 4: The Stability Region (Solid Line) of the Closed-Loop Plant in Example 4.1 with Control Law $u = -2x_1 - 3x_2$

4.2  Design of the Safety Controller

In this case, we design the safety controller and construct the corresponding stability region. This is the case when the control gain $K$ and the matrix $P$ (or $Q$) are determined jointly. We solve an optimization problem over all possible $K$ and $P$ (or $Q$) subject to the constraints such that the resulting closed-loop plant is asymptotically stable and the corresponding stability region is maximized. The stability region obtained in this case will be the largest one given by a quadratic Lyapunov function with respect to all possible $K$ that render the physical plant asymptotically stable. Since the control gains are unknown in this case, and their choice is restricted by the control constraints, we consider the dynamic system given in Equation (8). Substituting $\bar{A} = A + BK$ in Equation (12), we obtain the following:

$$QA^T + AQ + QK^TB^T + BKQ < 0$$

By introducing the change of variable $Z = KQ$, the above condition becomes

$$QA^T + AQ + Z^TB^T + BZ < 0$$

which is linear in the unknowns $Q$ and $Z$ (the product $KQ$ was not), and the control constraints become

$$b_j^T u \le 1 \;\Rightarrow\; b_j^T K x \le 1 \;\Rightarrow\; b_j^T K Q K^T b_j \le 1 \;\Rightarrow\; b_j^T Z Q^{-1} Z^T b_j \le 1,$$

where the second step is the result of Lemma 4.1 and the third step is due to the change of variable. Using the Schur complement, we convert the last inequality to an LMI form as follows:

$$\begin{bmatrix} 1 & b_j^T Z \\ Z^T b_j & Q \end{bmatrix} \ge 0$$

CMU/SEI-99-TR-018
Then the LMI problem can be formulated as follows: For the dynamic plant $\dot{x} = Ax + Bu$ with control law $u = Kx$, and the constraints $a_i^T x \le 1$, $i = 1,\dots,l$ and $b_j^T u \le 1$, $j = 1,\dots,r$, find $Q$ and $Z$ that

$$\begin{aligned}
\text{minimize}\quad & \log\det Q^{-1} \\
\text{subject to}\quad & Q > 0; \\
& QA^T + AQ + Z^TB^T + BZ < 0; \\
& a_i^T Q\,a_i \le 1,\; i = 1,\dots,l; \\
& \begin{bmatrix} 1 & b_j^T Z \\ Z^T b_j & Q \end{bmatrix} \ge 0,\; j = 1,\dots,r.
\end{aligned}$$

Again, this problem can be solved by the approach developed in [Vandenberghe 98] and the SDPSOL software. Undoing the change of variable, we obtain the control gain $K = ZQ^{-1}$.

In some plants, not only the state but also its rates of change are constrained. Such constraints are often called rate limits. In this report, we consider rate limits of the form $c_k^T \dot{x} \le 1$, $k = 1,\dots,q$, and translate them into an LMI as follows:

$$\begin{aligned}
c_k^T \dot{x} \le 1 &\Rightarrow (c_k^T A + c_k^T BK)\,x \le 1 \Rightarrow (c_k^T A + c_k^T BK)\,Q\,(c_k^T A + c_k^T BK)^T \le 1 \\
&\Rightarrow (c_k^T A + c_k^T BZQ^{-1})\,Q\,(c_k^T A + c_k^T BZQ^{-1})^T \le 1 \Rightarrow (c_k^T AQ + c_k^T BZ)\,Q^{-1}\,(c_k^T AQ + c_k^T BZ)^T \le 1 \\
&\Leftrightarrow \begin{bmatrix} 1 & c_k^T AQ + c_k^T BZ \\ (c_k^T AQ + c_k^T BZ)^T & Q \end{bmatrix} \ge 0
\end{aligned}$$

where the second step applies Lemma 4.1 to the row vector $c_k^T A + c_k^T BK$, and the last step is the Schur complement.

Therefore, the LMI problem for optimization involving rate limits can be stated as follows: For the dynamic plant $\dot{x} = Ax + Bu$ with control law $u = Kx$ and the constraints $a_i^T x \le 1$, $i = 1,\dots,l$, $b_j^T u \le 1$, $j = 1,\dots,r$, and $c_k^T \dot{x} \le 1$, $k = 1,\dots,q$, find $Q$ and $Z$ that

$$\begin{aligned}
\text{minimize}\quad & \log\det Q^{-1} \\
\text{subject to}\quad & Q > 0; \\
& QA^T + AQ + Z^TB^T + BZ < 0; \\
& a_i^T Q\,a_i \le 1,\; i = 1,\dots,l; \\
& \begin{bmatrix} 1 & b_j^T Z \\ Z^T b_j & Q \end{bmatrix} \ge 0,\; j = 1,\dots,r; \\
& \begin{bmatrix} 1 & c_k^T AQ + c_k^T BZ \\ (c_k^T AQ + c_k^T BZ)^T & Q \end{bmatrix} \ge 0,\; k = 1,\dots,q.
\end{aligned}$$
Example 4.2: To illustrate the design of the safety controller together with the derivation of the corresponding stability region, we consider Example 2.1 again. In this case, the dynamics of the plant are described by $\dot{x} = Ax + Bu$ with the same plant parameters and the same constraints $|x_1| \le 2$ and $|u| \le 1$ as in Example 4.1. Let $Q$ be a $2 \times 2$ symmetric matrix and $Z = KQ$ a $1 \times 2$ matrix. Then the LMI problem is formulated as follows: Find $Q$ and $Z$ that

$$\begin{aligned}
\text{minimize}\quad & \log\det Q^{-1} \\
\text{subject to}\quad & Q > 0; \\
& QA^T + AQ + Z^TB^T + BZ < 0; \\
& a_i^T Q\,a_i \le 1,\; i = 1, 2; \\
& \begin{bmatrix} 1 & b_j Z \\ Z^T b_j & Q \end{bmatrix} \ge 0,\; j = 1, 2,
\end{aligned}$$

where $a_1^T = [1/2,\ 0]$, $a_2^T = [-1/2,\ 0]$, $b_1 = 1$, and $b_2 = -1$ (so $l = r = 2$). Solving this problem with the SDPSOL software, we obtain $Q$ and $Z$ as

$$Q = \begin{bmatrix} 4.0 & -1.2408 \\ -1.2408 & 3.4641 \end{bmatrix} \qquad\text{and}\qquad Z = [-1.1547,\ -1.0746]$$

which determine the control gain $K = ZQ^{-1} = [-0.433,\ -0.4653]$ and the corresponding stability region depicted in Figure 5. (Note: The dashed lines in Figure 5 indicate the constraints of the plant.) As in Example 4.1, both the state limit and the control limit are active at the optimum: $a_1^T Q a_1 = 1$ and $KQK^T = ZQ^{-1}Z^T \approx 1$.
Figure 5: The Stability Region (Solid Line) for the Designed Safety Controller in Example 4.2

We now compare the controller designed in this subsection (referred to as the designed controller) with the one given in the previous subsection (referred to as the given controller). As mentioned earlier, the designed controller results in the largest stability region of the closed-loop system (among regions given by a quadratic Lyapunov function) with respect to all possible stabilizing linear state feedback control laws. Figure 6 shows that its stability region is indeed larger than the one obtained from the given controller. In addition, the performance of the physical plant under the two controllers is also different. The simulation results in Figure 6 show that, in terms of the convergence rate, the performance of the plant under the given controller is much better than under the designed controller when the plant starts from the state $[x_1, x_2] = [1.0, -0.8]$ in both cases. The comparisons of the stability region and the closed-loop system performance reveal a general tradeoff for linear state feedback control laws: the size of the stability region and the performance of the closed-loop system are inversely related. This is an important point in the concept of analytic redundancy with respect to controller design in the Simplex architecture. Specifically, since the safety controller is responsible for providing protection, it should be designed so that the upgraded controller can explore new functionality in a large domain of the state space. Therefore, the primary goal in the safety controller design is to make its operational region as large as possible, and the secondary concern may be to increase the performance it yields. On the other hand, the baseline controller serves as the complement of the safety controller, so its performance should be the first priority, and its operational region becomes a minor issue. In summary, in the examples that we considered, the designed controller can serve as the safety controller, and the given controller can be used as the baseline controller. An extensive analysis of the tradeoff was given in the case study on the inverted pendulum control system; see [Seto 99a].

Figure 6: Comparisons of the Stability Region and Performance of the Plant Under the Designed Controller and the Given Controller
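The following script is an added example, not code from the report, from SDPSOL, or from the Simplex project. It checks the numbers quoted in Examples 4.1 and 4.2 against the LMIs of Equation (12) and Lemma 4.1, recovers $K = ZQ^{-1}$ from the reported $Z$ and $Q$, verifies the Schur-complement form of the control constraint, compares the two ellipsoid volumes through $\log\det Q$, and reproduces the convergence comparison from $[1.0, -0.8]$ by simulation. It assumes that the plant of Example 2.1 (not reproduced on this page) is the double integrator $m\ddot{q} = u$ with $m = 1$ kg and state $x = [q, \dot{q}]$, an assumption that is consistent with the constraints and with the reported matrices; all linear algebra is hand-written so no solver or numerical library is required, and the checks use a tolerance of $10^{-3}$ because the printed matrices are rounded to four decimals and the active constraints sit exactly on the boundary.

```python
"""Added check for Examples 4.1 and 4.2: pure Python, no LMI solver required."""
import math

def transpose(M):
    return [list(r) for r in zip(*M)]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def add(A, B):
    return [[a + b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def inverse(M):
    """Gauss-Jordan elimination with partial pivoting (M is small and well conditioned)."""
    n = len(M)
    aug = [[float(v) for v in row] + [float(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))
        aug[c], aug[p] = aug[p], aug[c]
        aug[c] = [v / aug[c][c] for v in aug[c]]
        for r in range(n):
            if r != c:
                aug[r] = [rv - aug[r][c] * cv for rv, cv in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def cholesky(M, tol=0.0):
    """Cholesky factor of M + tol*I, or None when that matrix is not positive definite."""
    n = len(M)
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = M[i][j] + (tol if i == j else 0.0) - sum(L[i][k] * L[j][k] for k in range(j))
            if i == j and s <= 0.0:
                return None
            L[i][j] = math.sqrt(s) if i == j else s / L[j][j]
    return L

def check_region(Abar, Q, alphas, tol=1e-3):
    """LMIs (12), Q form, for xdot = Abar x and S = {x : x^T Q^{-1} x <= 1}.  By Lemma 4.1
    max_{x in S} alpha_k^T x = sqrt(alpha_k^T Q alpha_k), so constraint k holds iff that <= 1.
    tol absorbs the four-decimal rounding of the published matrices."""
    Lq = cholesky(Q)
    lyap = add(matmul(Q, transpose(Abar)), matmul(Abar, Q))          # Q Abar^T + Abar Q
    supports = [matmul([a], matmul(Q, transpose([a])))[0][0] for a in alphas]
    return {"Q_pos_def": Lq is not None,
            "lyapunov": cholesky([[-v for v in row] for row in lyap], tol) is not None,
            "constraints_ok": all(s <= 1.0 + tol for s in supports),
            "supports": supports,
            "log_det_Q": 2.0 * sum(math.log(Lq[i][i]) for i in range(len(Q))) if Lq else None}

def gain_from_Z(Z, Q):
    """Undo the change of variable Z = K Q."""
    return matmul(Z, inverse(Q))

def schur_block(b, Z, Q):
    """LMI form of b^T K Q K^T b <= 1 after Z = K Q: [[1, b^T Z], [Z^T b, Q]] >= 0."""
    bTZ = matmul([b], Z)[0]
    return [[1.0] + bTZ] + [[bTZ[i]] + list(Q[i]) for i in range(len(Q))]

def settling_time(Abar, x0, tol=0.05, dt=0.01, t_max=40.0):
    """RK4 simulation of xdot = Abar x; returns the last time at which |x| exceeds tol."""
    f = lambda v: [sum(a * vi for a, vi in zip(row, v)) for row in Abar]
    x, t, last = [float(v) for v in x0], 0.0, 0.0
    while t < t_max:
        k1 = f(x)
        k2 = f([xi + 0.5 * dt * k for xi, k in zip(x, k1)])
        k3 = f([xi + 0.5 * dt * k for xi, k in zip(x, k2)])
        k4 = f([xi + dt * k for xi, k in zip(x, k3)])
        x = [xi + dt / 6 * (a + 2 * b + 2 * c + d) for xi, a, b, c, d in zip(x, k1, k2, k3, k4)]
        t += dt
        if math.sqrt(sum(v * v for v in x)) > tol:
            last = t
    return last

# Plant of Example 2.1, ASSUMED to be the double integrator m*qdd = u with m = 1 kg and
# state x = [q, qdot]; |x_1| <= 2 m and |u| <= 1 N as in Examples 4.1 and 4.2.
A = [[0.0, 1.0], [0.0, 0.0]]
B = [[0.0], [1.0]]
STATE_CONSTRAINTS = [[0.5, 0.0], [-0.5, 0.0]]   # a_1, a_2
INPUT_CONSTRAINTS = [[1.0], [-1.0]]             # b_1, b_2
K_GIVEN = [[-2.0, -3.0]]                                 # Example 4.1, given controller
Q_GIVEN = [[4.0, -2.6686], [-2.6686, 1.8915]]            # SDPSOL result quoted in the report
Q_DESIGNED = [[4.0, -1.2408], [-1.2408, 3.4641]]         # Example 4.2
Z_DESIGNED = [[-1.1547, -1.0746]]
K_DESIGNED = gain_from_Z(Z_DESIGNED, Q_DESIGNED)         # report gives [-0.433, -0.4653]

def closed_loop(K):
    """Abar = A + BK and the p = l + r constraint vectors alpha_k of Equation (9)."""
    return add(A, matmul(B, K)), STATE_CONSTRAINTS + [matmul([b], K)[0] for b in INPUT_CONSTRAINTS]

def compare(x0=(1.0, -0.8)):
    """Verify both examples and reproduce the region-size versus convergence-rate tradeoff."""
    Ab_g, al_g = closed_loop(K_GIVEN)
    Ab_d, al_d = closed_loop(K_DESIGNED)
    return {"given": check_region(Ab_g, Q_GIVEN, al_g),
            "designed": check_region(Ab_d, Q_DESIGNED, al_d),
            "schur_ok": all(cholesky(schur_block(b, Z_DESIGNED, Q_DESIGNED), 1e-3) is not None
                            for b in INPUT_CONSTRAINTS),
            "settle_given": settling_time(Ab_g, x0),
            "settle_designed": settling_time(Ab_d, x0)}
```

Calling `compare()` returns both feasibility reports, the recovered gain check, the two $\log\det Q$ values (the designed region is larger by a wide margin) and the two settling times from $[1.0, -0.8]$, which is the same tradeoff the report reads off Figure 6: the given controller settles in a few seconds, the designed one takes several times longer. The `supports` entries are $\alpha_k^T Q \alpha_k$; the ones equal to 1 identify the constraints that limit the safety region, which is the first thing to inspect when a solver returns a region that looks too small.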

The  above  comparisons  also  motivate  a  general  design  strategy  for  the  safety  controller  and 
baseline  controller  from  an  existing  control  algorithm,  which  has  been  used  in  the  past.  In 
particular,  starting  from  the  existing  control  algorithm,  by  adjusting  the  parameters  in  the  al¬ 
gorithm  such  that  the  operational  region  is  enlarged,  we  may  get  a  safety  controller;  by  ad¬ 
justing  the  parameters  to  improve  the  performance  of  the  controlled  system,  we  will  obtain  a 
baseline  controller.  If  the  existing  control  algorithm  is  linear  state  feedback,  the  adjustment  of 
the  control  gains  can  be  carried  out  systematically  using  the  LMI  approaches  that  we  have 
proposed. 

4.3  Further  Improvements  on  Safety  Control  Design 

Previously we have seen that the safety controller may result in low performance of the closed-loop system. Such reduced performance may not be acceptable in some systems, because the recovery by the safety controller may take too much time. In this subsection, we show how to improve the performance with respect to some performance specifications. In addition to designing the safety controller to maximize the corresponding stability region subject to the constraints, we also require the closed-loop system to satisfy the given specifications. The specifications imposed on the performance should be moderate so that the corresponding stability region remains reasonably large.

The specification that we will consider in this subsection is the closed-loop pole location. Depending on how the specification is given, it can have various effects on performance (the decay rate, the natural frequencies, etc.). Not only will the performance of the closed-loop system be affected by the pole location, but the shape of the resulting stability region will change as well. We will present a general approach developed by Chilali and Gahinet [Chilali 96] to incorporate the specification into an LMI problem. Refer to [Seto 99b] for some examples in aircraft control.

Footnote: In Figure 6, solid lines represent the result obtained from the designed controller, and dotted lines show the result generated by the given controller. Again, the dashed lines indicate the constraints.

Definition 4.1: An LMI region is a subset $L$ of the complex plane $\mathbb{C}$ described by

$$L = \{z : z \in \mathbb{C},\ f_L(z) < 0\}$$

where $f_L(z) = \Phi + z\Psi + \bar{z}\Psi^T$, with $\Phi = \Phi^T \in \mathbb{R}^{m \times m}$ and $\Psi \in \mathbb{R}^{m \times m}$. Note that $f_L(z)$ is a Hermitian matrix, so "$< 0$" means negative definite.

Theorem 4.1: Given an LTI system of the form $\dot{x} = Ax$, the system is asymptotically stable with all poles in an LMI region $L$ if and only if there exists a symmetric matrix $Q$ such that

$$M_L(A, Q) < 0,\qquad Q > 0$$

where $M_L(A, Q) = \Phi \otimes Q + \Psi \otimes (AQ) + \Psi^T \otimes (AQ)^T$, and $\otimes$ denotes the Kronecker product.

Corollary 4.1: Given an LTI control system $\dot{x} = Ax + Bu$ with control law $u = Kx$, the system is asymptotically stable with all poles in an LMI region $L$ if and only if there exist a symmetric matrix $Q$ and a matrix $Z$ of proper dimensions such that

$$M_L(A, Q, Z) < 0,\qquad Q > 0$$

where $M_L(A, Q, Z) = \Phi \otimes Q + \Psi \otimes (AQ + BZ) + \Psi^T \otimes (AQ + BZ)^T$. Moreover, the control gain is determined by $K = ZQ^{-1}$.


Theorem 4.1 and Corollary 4.1 give the LMI conditions for the system, with or without control, to be asymptotically stable with the specified pole location. When the system involves constraints, the additional LMI constraints presented in the previous subsection should be included as well. Most commonly used pole location specifications can be cast as LMI regions as defined in Definition 4.1 and incorporated into the LMI conditions for stability. For example, suppose the poles of a completely controllable system $\dot{x} = Ax + Bu$ are required to lie inside a disk of radius $r$ centered at $(-d, 0)$, $d > 0$, in the complex plane. Let a complex pole be denoted by $z = x + jy$. Then the specified region in the complex plane is given by

$$(x + d)^2 + y^2 < r^2, \quad\text{or}\quad (z + d)(\bar{z} + d) < r^2 \quad\text{because } x = (z + \bar{z})/2,\ x^2 + y^2 = z\bar{z}.$$

Applying the Schur complement (for $r > 0$, the $2 \times 2$ Hermitian matrix below is negative definite exactly when $r^2 - |z + d|^2 > 0$), we obtain the LMI region as

$$f_L(z) = \begin{bmatrix} -r & z + d \\ \bar{z} + d & -r \end{bmatrix} = \begin{bmatrix} -r & d \\ d & -r \end{bmatrix} + z\begin{bmatrix} 0 & 1 \\ 0 & 0 \end{bmatrix} + \bar{z}\begin{bmatrix} 0 & 0 \\ 1 & 0 \end{bmatrix} < 0,$$

that is, $\Phi = \begin{bmatrix} -r & d \\ d & -r \end{bmatrix}$ and $\Psi = \begin{bmatrix} 0 & 1 \\ 0 & 0 \end{bmatrix}$, and the LMI conditions for stability as

$$M_L(A, Q) = \begin{bmatrix} -rQ & dQ \\ dQ & -rQ \end{bmatrix} + \begin{bmatrix} 0 & AQ \\ 0 & 0 \end{bmatrix} + \begin{bmatrix} 0 & 0 \\ QA^T & 0 \end{bmatrix} = \begin{bmatrix} -rQ & AQ + dQ \\ QA^T + dQ & -rQ \end{bmatrix} < 0,\qquad Q > 0$$


Another important specification is the decay rate, namely the rate at which the trajectories of the closed-loop system converge to the equilibrium. Such a rate requirement can be translated into a pole location by requiring all poles of the closed-loop system to lie to the left of the vertical line $x = -d$, $d > 0$. Then all trajectories of the closed-loop system converge to the equilibrium at a rate no less than $d$. The pole location specification in this case is given by $x < -d$, or $f_L(z) = 2d + z + \bar{z} < 0$ (i.e., $\Phi = 2d$ and $\Psi = 1$). Then the LMI conditions in Theorem 4.1 are given by

$$M_L(A, Q) = 2dQ + AQ + QA^T < 0,\qquad Q > 0$$

Incorporating the constraints on pole location into the stabilization problem improves the performance of the closed-loop system, at the price of the smaller stability region that the tradeoff of the previous subsection predicts. This has been demonstrated in a case study on an aircraft auto-landing control system [Seto 99b]. An extensive study on pole placement in the context of LMI is also reported in [Chilali 96].
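As an added example (not from the report or from [Chilali 96]), the script below implements Definition 4.1 and Theorem 4.1 mechanically: it builds the characteristic function $f_L(z)$ for the disk and half-plane regions, tests the closed-loop poles of the two controllers of Examples 4.1 and 4.2 against them using Sylvester's criterion for negative definiteness, and assembles $M_L(\bar{A}, Q)$ by Kronecker products to confirm numerically that it equals the $2 \times 2$-block form derived above. The double-integrator plant is an assumption, as in the previous example; the gains and the matrix $Q$ are the ones quoted in Examples 4.1 and 4.2, and the region parameters ($d = 0.5$ decay rate, unit disk centered at $-1.5$) are chosen here only to separate the two controllers.

```python
"""Added example: LMI regions (Definition 4.1) and M_L(A, Q) (Theorem 4.1) in pure Python."""
import cmath

def transpose(M):
    return [list(r) for r in zip(*M)]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def madd(*Ms):
    return [[sum(vals) for vals in zip(*rows)] for rows in zip(*Ms)]

def kron(A, B):
    """Kronecker product: block (i, j) of the result is A[i][j] * B."""
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def lmi_region(Phi, Psi):
    """Characteristic function f_L(z) = Phi + z Psi + conj(z) Psi^T of Definition 4.1."""
    PsiT = transpose(Psi)
    return lambda z: madd(Phi, [[z * v for v in r] for r in Psi],
                          [[z.conjugate() * v for v in r] for r in PsiT])

def disk(r, d):
    """Poles inside the disk of radius r centered at (-d, 0): Phi = [[-r, d], [d, -r]], Psi = [[0, 1], [0, 0]]."""
    return [[-r, d], [d, -r]], [[0.0, 1.0], [0.0, 0.0]]

def half_plane(d):
    """Poles left of x = -d (decay rate at least d): Phi = [2d], Psi = [1]."""
    return [[2.0 * d]], [[1.0]]

def cdet(M):
    """Determinant by Laplace expansion (matrices here are at most 2x2 and may be complex)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * cdet([r[:j] + r[j + 1:] for r in M[1:]]) for j in range(len(M)))

def is_neg_def(H):
    """Sylvester's criterion: Hermitian H < 0 iff (-1)^k det(H_k) > 0 for every leading k x k block."""
    return all(((-1) ** k * cdet([r[:k] for r in H[:k]])).real > 0 for k in range(1, len(H) + 1))

def in_region(z, region):
    """Definition 4.1: z belongs to L iff f_L(z) < 0."""
    Phi, Psi = region
    return is_neg_def(lmi_region(Phi, Psi)(z))

def poles_2x2(M):
    """Eigenvalues of a real 2x2 matrix from its trace and determinant."""
    tr = M[0][0] + M[1][1]
    dt = M[0][0] * M[1][1] - M[0][1] * M[1][0]
    disc = cmath.sqrt(tr * tr - 4.0 * dt)
    return [(tr + disc) / 2.0, (tr - disc) / 2.0]

def M_L(region, Abar, Q):
    """Theorem 4.1: M_L(Abar, Q) = Phi (x) Q + Psi (x) (Abar Q) + Psi^T (x) (Abar Q)^T."""
    Phi, Psi = region
    AQ = matmul(Abar, Q)
    return madd(kron(Phi, Q), kron(Psi, AQ), kron(transpose(Psi), transpose(AQ)))

def disk_block_form(r, d, Abar, Q):
    """The explicit block matrix [[-rQ, AQ + dQ], [QA^T + dQ, -rQ]] derived in the text."""
    AQ, n = matmul(Abar, Q), len(Q)
    top = [[-r * Q[i][j] for j in range(n)] + [AQ[i][j] + d * Q[i][j] for j in range(n)] for i in range(n)]
    bot = [[AQ[j][i] + d * Q[i][j] for j in range(n)] + [-r * Q[i][j] for j in range(n)] for i in range(n)]
    return top + bot

# Closed loops of Examples 4.1 and 4.2 on the ASSUMED double integrator x1' = x2, x2' = u.
ABAR_GIVEN = [[0.0, 1.0], [-2.0, -3.0]]            # u = -2 x1 - 3 x2
ABAR_DESIGNED = [[0.0, 1.0], [-0.433, -0.4653]]    # u = -0.433 x1 - 0.4653 x2
Q_GIVEN = [[4.0, -2.6686], [-2.6686, 1.8915]]      # Q of Example 4.1

def pole_report(d_rate=0.5, r=1.0, centre=1.5):
    """Which of the two closed loops meet a decay-rate spec and a disk spec."""
    out = {}
    for name, Abar in (("given", ABAR_GIVEN), ("designed", ABAR_DESIGNED)):
        poles = poles_2x2(Abar)
        out[name] = {"poles": poles,
                     "decay_rate_ok": all(in_region(p, half_plane(d_rate)) for p in poles),
                     "disk_ok": all(in_region(p, disk(r, centre)) for p in poles)}
    return out

def kron_matches_block_form(r=1.0, d=1.5):
    """Largest entry-wise difference between the Kronecker expansion and the hand-derived block form."""
    lhs = M_L(disk(r, d), ABAR_GIVEN, Q_GIVEN)
    rhs = disk_block_form(r, d, ABAR_GIVEN, Q_GIVEN)
    return max(abs(a - b) for ra, rb in zip(lhs, rhs) for a, b in zip(ra, rb))
```

`pole_report()` shows the given controller (poles at $-1$ and $-2$) meeting both the decay-rate specification $d = 0.5$ and the disk specification, while the designed controller (poles at about $-0.23 \pm 0.62j$) meets neither; this is the same performance gap as in Figure 6, now expressed as pole locations that could be imposed through Corollary 4.1. `kron_matches_block_form()` returns a difference of zero (to rounding), confirming the expansion of $M_L$ used above; checking an LMI assembled by a solver front end against the hand-derived block form in this way is a cheap guard against a transposed $\Psi$ or a misplaced block.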
5  Conclusions

In this report, we addressed the semantic fault tolerance issue in the Simplex architecture. Fault detection and recovery were established with respect to the safety of the physical system under control. Specifically, faults are detected by checking the safety of the physical plant against a predefined safety region, and recovery is guaranteed by the safety controller. When the physical plant is operated around an equilibrium, the safety controller is designed to stabilize the system at the equilibrium, and the safety region is defined as the stability region of the physical plant under the safety controller. By linearizing the plant at the equilibrium, a linear approximation of the plant is obtained. Based on this linear model of the plant, several LMI-based approaches are presented to (1) systematically derive the largest stability region of the plant under a given controller and (2) systematically design the safety controller and derive the corresponding safety region. Figure 7 shows a flow chart of this complete procedure for developing the semantic fault tolerance mechanism using LMI.

Figure 7: A Development Cycle for the Semantic Fault Tolerance Mechanism Using LMI